Archive for December 2017

For many large organizations, emails from corporate printers and scanners are routine, and cyber-criminals have found that impersonating these devices is a lucrative way to deliver malware.

Barracuda Networks has tracked an uptick in attacks that impersonate Canon, HP and Epson printers and scanners: since late November, cyber-criminals have made millions of attempts to infect unsuspecting users by sending spoofed emails purporting to come from these common printer and scanner brands, with attachments that contain malware.

“Aside from the coffee maker and the office water cooler, few devices receive the magnitude of use that the corporate printer is subjected to on a daily basis,” said Barracuda SVP of technology, Fleming Shi, in a blog. “This is because these machines function way beyond the boundaries of a simple printer; in fact, they’re commonly used to scan and copy pages and can even be called upon to send emails of scans as an easy way to receive PDF versions of documents.”

Typically, the subject line of the malicious emails looks routine: “Scanned from HP”, “Scanned from Epson” or “Scanned from Canon,” for instance. By altering file names and extensions, the attackers disguise the malicious attachment and slip it past controls such as email antivirus, so end users are often none the wiser.

Once unpacked, the malware installs a backdoor that gives the attacker unauthorized access to the victim PC and cyber-espionage capabilities: monitoring user behavior, changing computer settings, browsing and copying files, using the machine's bandwidth for criminal activity, reaching connected systems, and more. It also scans network connections in an attempt to escalate from user rights on the workstation to local administrator rights.

Further, hinting at ransomware-style capability, the attackers can also change the victim’s wallpaper to display a message of their choice.

Workers should use common sense to avoid the threat: Shi advocates double-checking with the sender if one didn’t know a scanned document was coming; hovering the mouse over every hyperlink to make sure it’s legitimate; and simply not clicking if there’s any doubt whatsoever.

VenusLocker Switches Tactics from Ransomware to Monero Mining

A new, but also familiar, malware attack scheme has emerged, targeting the cryptocurrency market: The VenusLocker group has switched its crosshairs from extortion via ransomware to mining Monero.

According to the FortiGuard Labs team, an attack was observed targeting South Korea, arriving via phishing emails that use a variety of social-engineering pretexts. One variant pretends to be from a South Korean online garment seller and falsely claims that the recipient’s information has been leaked because the seller's website was hacked. Another variant threatens that the recipient's website is legally liable for images being used without consent, and recommends opening the attached file to check the images in question.

“And of course, the email explains that the (infected) attachment should be opened for more details and instructions,” said Joie Salvio, researcher at Fortinet, in an analysis. The attachment instead begins the process of infecting the target with Monero-mining malware.

Further analysis revealed that the mechanics of the payload match the scheme VenusLocker used in the past.

“To confirm this assumption, we had to take a closer look at the shortcut files’ metadata, and sure enough, we found a direct relation to the ransomware,” said Salvio. “Aside from the target paths, the shortcut files used during the VenusLocker ransomware period are practically identical to the ones being used in this campaign.”
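The comparison Salvio describes, matching shortcut files on metadata that survives a change of target path, is a standard forensic step. Below is an added example of that step, not code from Fortinet or the page: it parses the fixed Shell Link header, the string data (relative path, arguments, icon) and the TrackerDataBlock, which records the NetBIOS name and a version-1 GUID carrying the MAC address of the machine that created the shortcut, then reports what two shortcuts have in common. The two sample .lnk files are constructed in the script (they are not the VenusLocker artifacts), and the ANSI code page, when a shortcut is not Unicode, is assumed to be cp1252.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Constants from the MS-SHLLINK specification.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003  # TrackerDataBlock: machine name plus object-ID GUIDs
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkFlags bits in order: HasLinkTargetIDList, HasLinkInfo, HasName,
# HasRelativePath, HasWorkingDir, HasArguments, HasIconLocation, IsUnicode
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]

def from_filetime(ft: int) -> datetime:
    return EPOCH + timedelta(microseconds=ft // 10)   # FILETIME is 100 ns units

def mac_of(guid: uuid.UUID) -> str:
    """Node field of a version-1 GUID; Windows fills it with a MAC address."""
    return ":".join(f"{(guid.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))

def parse_lnk(data: bytes) -> dict:
    (size, clsid, flags, _attrs, ctime, _atime, wtime,
     fsize, icon, show, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    meta = {"flags": flags, "created": from_filetime(ctime), "modified": from_filetime(wtime),
            "target_size": fsize, "icon_index": icon, "show_command": show}
    off = 0x4C
    if flags & HAS_ID_LIST:                 # skip LinkTargetIDList (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:               # skip LinkInfo (size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in STRING_FIELDS:          # StringData: count-prefixed strings
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                meta[key] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:                           # creator's code page; cp1252 assumed here
                meta[key] = data[off:off + count].decode("cp1252")
                off += count
    while off + 4 <= len(data):             # ExtraData blocks up to the terminal block
        bsize = struct.unpack_from("<I", data, off)[0]
        if bsize < 4:
            break
        if struct.unpack_from("<I", data, off + 4)[0] == TRACKER_SIG:
            meta["machine_id"] = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            meta["volume_droid"] = str(uuid.UUID(bytes_le=data[off + 32:off + 48]))
            file_droid = uuid.UUID(bytes_le=data[off + 48:off + 64])
            meta["file_droid"] = str(file_droid)
            meta["mac"] = mac_of(file_droid)
        off += bsize
    return meta

# Fields that identify the creating machine rather than the target path.
FINGERPRINT = ("machine_id", "mac", "volume_droid", "show_command", "icon_location", "created")

def shared_fingerprint(a: dict, b: dict) -> dict:
    """Metadata two shortcuts have in common, independent of their target path."""
    return {k: a[k] for k in FINGERPRINT if k in a and k in b and a[k] == b[k]}

def build_lnk(path: str, args: str, machine: str, node: int, created: datetime) -> bytes:
    """Constructed sample shortcut for this example (not a VenusLocker file)."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    ft = ((created - EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, 0, 0, 7, 0, 0, 0, 0)   # ShowCommand 7 = SW_SHOWMINNOACTIVE
    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    strings = s(path) + s(args) + s("%SystemRoot%\\system32\\shell32.dll")
    volume = uuid.UUID("f1d2a3b4-0000-4000-8000-aabbccddeeff")
    file_id = uuid.UUID(fields=(0x11223344, 0x5566, 0x1777, 0x88, 0x99, node))  # v1 GUID with MAC
    droid = volume.bytes_le + file_id.bytes_le
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + machine.encode("ascii").ljust(16, b"\x00") + droid + droid)
    return header + strings + tracker + struct.pack("<I", 0)   # terminal block

CREATED = datetime(2017, 11, 28, 9, 15, tzinfo=timezone.utc)
SAMPLE_A = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c start loader.exe",
                     "DESKTOP-A1B2C3", 0x001122334455, CREATED)
SAMPLE_B = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c start miner.exe",
                     "DESKTOP-A1B2C3", 0x001122334455, CREATED)

if __name__ == "__main__":
    for key, value in shared_fingerprint(parse_lnk(SAMPLE_A), parse_lnk(SAMPLE_B)).items():
        print(f"{key:14} {value}")
```

The two samples differ only in their arguments, so the machine name, MAC, volume GUID, icon and creation time line up, which is the kind of overlap that lets a second campaign be tied to an earlier one. On real files, treat the MAC and machine ID with care: they identify the box the shortcut was built on, which may be a throwaway VM.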

It could be that this switch in focus from ransomware to cryptocurrency mining is the start of a trend for the coming year, now that cryptocurrency values are more enticing than ever. Monero, an open-source cryptocurrency created in April 2014, was trading at around $400 at press time.

“With the security industry’s constant effort to combat ransomware, the ability for cyber-criminals to successfully encrypt user files should no longer be a cake walk,” said Salvio. “For instance, this past October, Microsoft added a Controlled folder access feature to Windows Defender Security for Windows 10 users to prevent malicious (or unexpected) alteration of important files. Features such as this can effectively thwart ransomware attacks. Which is probably part of the reason why the threat actors behind VenusLocker decided to switch targets.”

Malvertising Sees an Unlikely Dip in Q3

According to RiskIQ’s Q3 2017 report on the subject, the firm scanned 53% fewer advertisements containing a blacklisted incident—phishing, scams, exploit kits and malware—than Q2, reversing a trend from the second quarter which found a 19% increase in total malvertising over Q1.

Exploit kits continued to decline, and malware, which had decreased by almost 45% in Q2, was the only type of malvertising to increase in Q3. Meanwhile, phishing, which rose over 100% in Q2, saw a considerable decline, which could mean attackers pivoted from tricking users into clicking deceptive ads that lead to pages requesting sensitive data toward dropping malware directly.

“Although our data shows a 21% drop in scams (disingenuous advertising), it continues to be a favorite tactic of threat actors—RiskIQ detected almost 990,000 incidents in Q3 and profiled several new tactics,” the firm said. “Scammers drive immense amounts of valuable traffic to their sites via vast scam networks. Their fraudulent landing pages (take a survey to win a free PlayStation!), are often ignored by typical malvertising detection methods because of the gray nature of their payloads but can grow to enormous sizes and degrade the quality of the internet.”

RiskIQ also recently released its Q3 2017 phishing trends report, showing that its research team observed 931,665 unique blacklisted phishing URLs.

Of these, 27,868 were unique domains, down from the 39,320 in Q2. In fact, overall detections have decreased slightly in Q3—RiskIQ observed a total of 279 brands targeted by phishing campaigns in Q3, down from the 316 in Q2.

“This is because the nature of phishing campaigns is cyclical,” the report noted. “While the method and frequency of phishing campaigns vary, the threat remains consistent.”

One constant is the top 10 targeted brands, all but three of which are the same between Q2 and Q3. Of the three newcomers, two are large financial institutions and the third is a social media platform.

In terms of segments, financial services (accounting for 40% of targets) and digital transaction brands (20% of targets) continue to be favorite targets. Social media platforms made up 10% of targets, as did cloud storage providers. Large tech companies accounted for 20%.

Experts Rail Against Internet Password 'Organizers'

Security experts have warned consumers against buying their loved ones “username/password” organizers this Christmas, because the notebooks encourage poor security practice.

Various retailers including Amazon, Etsy, and Blackwell’s are selling the pocket-sized notebooks, advertised as being a “convenient place” to store all one’s online log-ins.

While these items have been selling for a few years now, security experts are becoming increasingly vocal about their concerns in light of rising cyber-threat levels.

ESET security specialist, Mark James, argued that users should be looking to online password managers rather than physical log-in organizers like these.

“We do need all the help we can get, but we also need to consider the dangers of stockpiling information that others could gain access to,” he said.

“If it were to be lost, then anyone finding the item would be able to use the data to compromise your accounts. A notebook listed in alphabetical order loudly shouting 'logins and passwords' is waiting to be lost or stolen.”

Bill Evans, senior director at One Identity, added that an item labelled “password logbook” might as well be called “steal my identity here”.

“If you have to write your passwords down, don’t advertise their location by using a book that screams, ‘PASSWORDS HERE’. By all means, utilize multi-factor authentication everywhere you possibly can. Don’t let the Grinch steal both Christmas and your identity during the same holiday season.”

The need for multi-factor authentication options on more websites was given added urgency last week after dark web researchers found an underground database containing a staggering 1.4 billion breached credentials.

To make matters worse, the trove of log-ins is set up so that cyber-criminals can easily search for and locate what they’re looking for.

Researchers investigating the database found the most common passwords to be “123456” — featured over 9.2 million times.

Nissan Canada Data Breach: 1.1 Million Customers Notified

Nissan Canada’s finance business revealed on Thursday that all of its 1.13 million current and former customers may have had their details compromised in a data breach.

The carmaker was keen to point out that no payment information was compromised, but said the following might have been: customer name, address, vehicle make and model, vehicle identification number (VIN), credit score, loan amount and monthly payment.

The breach affects some customers that financed their vehicles through Nissan Canada Finance (NCF) and INFINITI Financial Services Canada, although the firm is still working out exactly how many are affected.

That said, it’s erring on the side of caution by informing all current and former customers and offering them 12 months of free credit monitoring services through TransUnion.

Privacy regulators, police and data security experts have been engaged to investigate the incident and NCF said that there’s currently no reason to believe customers outside of Canada are affected.

"We sincerely apologize to the customers whose personal information may have been illegally accessed and for any frustration or inconvenience that this may cause," said Alain Ballu, president, Nissan Canada Finance. "We are focused on supporting our customers and ensuring the security of our systems.”

Nissan’s travails come at the end of another stand-out year for big-name data breaches.

The past 12 months have seen Yahoo admit a 2013 breach had tripled in size to affect all three billion users; Uber reveal it paid hackers to delete stolen data on 57m users; and Equifax allow hackers to make off with highly sensitive financial information on 145.5m Americans.

That’s not to mention a string of privacy leaks at organizations including Verizon, WWE, the US Department of Defense and many more following cloud database misconfigurations.

The most recently discovered privacy snafu, at analytics firm Alteryx, leaked data on 123m American households, virtually every household in the country.

It apparently included key data belonging to partner Experian, an Equifax rival and one of the big three US consumer credit reporting agencies.

Tech Giants Take Steps to Disrupt Lazarus Group

Microsoft and Facebook have joined other members of the security community in taking steps to disrupt the ongoing operations of the infamous North Korean Lazarus Group, now officially blamed for WannaCry.

The two tech giants released separate statements earlier this week briefly detailing actions they took last week to make life difficult for the notorious cybercrime group, also known as ZINC.

Facebook said it deleted accounts linked to the group, in a bid to make it harder for its threat actors to conduct their activities.

It added:

“Similar to other threat groups, they largely used personal profiles and pretended to be other people in order to do things like learning about others and building relationships with potential targets. Our actions were not focused on the WannaCry malware itself.

We also notified people who may have been in contact with these accounts and gave suggestions to enhance their account security, as we have done in the past about other threat groups. We will continue to work closely with companies to investigate and counteract these types of threats to our collective security.”

Unlike the social network, Microsoft’s work last week appears to have been more focused on the malware side.

“Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection,” explained president, Brad Smith.

“We took this action after consultation with several governments, but made the decision independently.”

The news comes as the White House officially blamed North Korea this week for the ransomware attack that caused widespread chaos around the world in May, infecting hundreds of thousands of endpoints in 150 countries and forcing the cancellation of an estimated 19,000 NHS operations and appointments.

Although some have criticized the US government for failing to reveal any evidence to support the claims, the news was welcomed by Smith.

“We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them,” he said. “Today’s announcement represents an important step in government and private sector action to make the internet safer.”

Trend Micro: Beware of Travel Scammers Offering Huge Discounts

Researchers have warned of a growing black market trade in heavily discounted travel services made possible by stolen credit cards, hacked loyalty program accounts and fraudulent redemption of discounts and freebies.

Trend Micro claimed such offers are freely advertised not just on the dark web and underground forums, but also Telegram channels and even social network postings.

These include flights discounted by 50% or more because the cyber-criminal has paid for a large part of them using stolen travel points or frequent flyer miles.

“They usually buy these flights at the last minute; by the time the airline company notices the fraudulent transaction, the buyer has already gotten off the flight,” explained Trend Micro.

Discounted taxi and car-sharing rides, and cheap car rentals, are also available via stolen membership cards and package deals, while stolen loyalty card details allow buyers to book reservations at luxury hotels for up to 70% less than the regular price.

Even restaurant gift and loyalty cards are apparently available.

Many of the tickets and packages mentioned in the report are traded on dark web site Dream Market, but there are numerous underground travel agencies where flights and hotels are discounted by as much as 50%, according to Trend Micro.

Even a two-day trip to the upcoming FIFA World Cup in Russia is available for just $500 — half the usual price — and only $60 for a hotel.

The report added:

“There’s a downside in attempting to reduce your travel cost when availing these illegal services: getting your money's worth is not always guaranteed, and sometimes, you don't get anything at all. Scanning the underground forums, we found one buyer of a business class flight who complained about being unable to contact the seller when he found out that his purchase didn’t include a return flight … There’s also a customer who ordered three flight tickets for a trip, which were canceled before departure, among others.”

Trend Micro urged travel companies to be more rigorous in validating the identity of their paying customers and the cards they use, and to beware of malware directed at gateways, endpoints, networks and servers.

Users should be wary of scams and heavily discounted tickets, and should enable 2FA for all log-ins and online purchases, it concluded.

Cron-Linked Malware Impersonates 2,200 Banking Apps

Security researchers are warning of new malware designed to harvest banking and card details, which could be linked to the infamous Cron cybercrime group.

The Catelites Bot shares similarities with the CronBot banking Trojan which was used to steal $900,000 before the group behind it were arrested earlier this year by the Russian authorities.

That’s according to Avast’s head of mobile threat intelligence and security, Nikolaos Chrysaidos, who said it is “likely” that Cron members have used the malware in their campaigns.

The malware is dropped onto victim Android devices via fake apps on third-party stores, malvertisements or phishing pages, and appears on the user’s screen as an innocuous-looking icon called “System Application”.

If the user taps it, the malware asks for device administrator permissions; if granted, it removes its own icon and replaces it with familiar-looking Gmail, Chrome and Google Play icons.

The hacker is banking on users clicking on these popular apps at some point, and if they do it will display a fake overlay requiring them to enter their credit card details.

That’s not all: the malware also has functionality allowing it to pose as legitimate-looking banking apps from over 2,200 financial institutions.

“Once you open your own banking app, the malware activates and places a fake overlay on your actual banking app, tricking you into entering your bank login details and also your credit card info. Once you provide this, they have access to your account and credit card,” explained Chrysaidos.

“The overlay is HTML-based and not as sophisticated as other Android banking malware such as LokiBot, Red Alert, or Exobot, but the power here is clearly in the shotgun approach: using simple phishing overlay screens, the criminals are able to target many more users, increasing their likelihood of financial gain.”

Avast has found a host of other functionality which has not yet been activated, including interception of in- and outgoing SMS messages.

“It can persistently ask for specific admin rights that could wipe data from your device or even lock you out completely,” Chrysaidos added.

Security Pros Waste 40 Hours Per Month Thanks to Inefficient Systems

The majority of IT decision-makers think the average cybersecurity professional wastes as much as 10 hours a week due to inadequate software.

According to a LogRhythm-sponsored survey of 751 IT decision-makers from the US, UK and Asia/Pacific, more than one-third of them also say their teams spend at least three hours a day on tasks that could be handled by better software.

The study, conducted by Widmeyer, further found that an overwhelming majority (88%) of respondents view insider threats as a dangerous and growing concern in defending their organizations.

The results come as the cybersecurity workforce is failing to keep up with demand. By 2021, there are estimated to be an astounding 3.5 million unfilled cybersecurity positions worldwide.

“The proliferation and innovation of business-enabling technology combined with the speed of today’s advanced hackers to adopt and adapt to the latest technology is making it increasingly difficult—if not impossible—for security teams to evolve their rapid threat detection and response capabilities as quickly as their adversaries,” said James Carder, chief information security officer (CISO) and vice president of LogRhythm Labs.

Artificial intelligence (AI) has been floated as a critical weapon that organizations can use to fight the cyber-war. The study asked about participants’ attitudes toward AI and found that IT executives in the US believe AI “will be the biggest game-changer for security over the next several years”. Decision-makers expect faster threat detection to be the No. 1 benefit of cloud-based AI security, followed by superior data analysis and improved collaboration.

Today, less than half of all the organizations surveyed use some form of AI to combat cyberthreats. Among organizations that do rely on AI, more than 90% believe it has improved the effectiveness of their cybersecurity operations.

Five Arrested in Joint Europol-FBI Ransomware Sting

Romanian authorities have arrested three suspected cyber-criminals on charges of spreading ransomware.

Two other suspects from the same criminal group were arrested in Bucharest in a parallel ransomware investigation linked to the US, according to Europol.

In a search of six houses, investigators seized a significant number of hard drives, laptops, external storage devices, cryptocurrency mining devices and numerous documents. The criminal group is being prosecuted for unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes, and blackmail.

In early 2017, the Romanian authorities received detailed information from the Dutch High Tech Crime Unit and other authorities that a group of Romanian nationals was involved in sending spam. The spam was drafted to look as if it came from well-known companies in countries including Italy, the Netherlands and the UK, and was intended to infect computer systems and encrypt their data with the CTB-Locker ransomware, aka Critroni.

Each email carried an attachment, often an archived invoice, containing a malicious file. Once the attachment was opened on a Windows system, the malware encrypted files on the infected device. More than 170 victims from several European countries have been identified to date, Europol said.
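Both this campaign (an archived “invoice” carrying an executable) and the printer-scan campaign described earlier on this page (file names and extensions altered to look like scans) rely on an attachment that is not what its name says. The following is an added example of the gateway-side check that catches both; it is not code from Barracuda, Europol or the page. The magic-number table, the extension lists, the right-to-left-override check and the sample attachments are constructed for illustration, and the stub “PE” and “PDF” bodies contain no real content.

```python
import io
import zipfile

# Magic numbers checked at the start of the attachment body. A production
# gateway would use libmagic; this table is constructed for the example.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",            # Windows executable, DLL or screensaver
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy Office compound file
}
# Extensions Windows runs on double-click; .lnk included because shortcut
# files were the VenusLocker lure covered above.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
            "vbe", "wsf", "wsh", "hta", "ps1", "lnk"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
RLO = "\u202e"                  # Unicode right-to-left override: "scan\u202efdp.exe" renders as "scanexe.pdf"
MAX_MEMBER = 10 * 1024 * 1024   # do not inflate archive members larger than this (decompression bombs)
MAX_DEPTH = 2                   # nested archives beyond this are reported, not opened

def sniff(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(name: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons an attachment looks like a disguised executable ([] if none)."""
    findings = []
    parts = name.lower().split(".")
    last = parts[-1] if len(parts) > 1 else ""
    if RLO in name:
        findings.append(f"{name!r}: right-to-left override in file name")
    if last in EXEC_EXT:
        findings.append(f"{name!r}: executable extension .{last}")
        if len(parts) > 2 and parts[-2] in DOC_EXT:
            findings.append(f"{name!r}: document extension .{parts[-2]} used to mask .{last}")
    kind = sniff(data)
    if kind == "pe" and last not in EXEC_EXT:
        findings.append(f"{name!r}: PE header inside a .{last or '(none)'} file")
    if kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append(f"{name!r}: archive nested too deeply to inspect")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        findings.append(f"{name!r}: member {info.filename!r} too large to inspect")
                        continue
                    findings += triage(info.filename, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append(f"{name!r}: corrupt or truncated archive")
    return findings

# Constructed sample attachments (not real malware).
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_PDF = b"%PDF-1.4\n%%EOF\n"

def build_invoice_zip() -> bytes:
    """An 'archived invoice' of the CTB-Locker kind: a screensaver named like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017-12.pdf.scr", FAKE_PE)
    return buf.getvalue()

SAMPLES = {
    "Scanned from HP.pdf.exe": FAKE_PE,   # double extension
    "scan_0042.pdf": FAKE_PDF,            # genuine scan
    "scan_0043.pdf": FAKE_PE,             # executable renamed to .pdf
    "scan_0044\u202efdp.exe": FAKE_PE,    # RLO trick, displays as scan_0044exe.pdf
    "Invoice_2017-12.zip": build_invoice_zip(),
}

if __name__ == "__main__":
    for attachment, body in SAMPLES.items():
        print(attachment, "->", triage(attachment, body) or "clean")
```

The extension checks alone miss the renamed executable; the magic-number check alone misses a double extension on a genuine document; the archive walk is what surfaces the invoice case. Password-protected archives, which this check cannot open, are the obvious gap and should be quarantined or routed to sandbox detonation rather than passed.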

In addition to the spread of CTB-Locker, two people within the same Romanian criminal group are also suspected of distributing the Cerber ransomware to a large number of computer systems in the United States. After US authorities issued an international arrest warrant for the two suspects, they were arrested in Bucharest while trying to leave the country.

In both cases, the perpetrators were using a ransomware-as-a-service offering.

The law enforcement operation, dubbed Bakovia, was a joint investigation carried out by the Romanian Police, the Romanian and Dutch public prosecutors’ offices, the Dutch National Police, the UK’s National Crime Agency and the FBI, with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).